[OpenID] OpenID 2.0 spec security improvement suggestion

Breno de Medeiros breno at google.com
Wed Mar 11 18:33:59 UTC 2009


On Wed, Mar 11, 2009 at 11:17 AM, Andrew Arnott <andrewarnott at gmail.com> wrote:

> In OpenID 2.0 section 11.1, we see the following requirement regarding
> verifying the openid.return_to parameter:
>
> Any query parameters that are present in the "openid.return_to" URL MUST
> also be present with the same values in the URL of the HTTP request the RP
> received.
>
>
> But consider this incoming RP message: (I didn't bother properly URL
> encoding it since that would just make it harder to read)
>
> http://rp/authenticate?a=b&a=c&openid.return_to=http%3a%2f%2frp%2fauthenticate%3fa%3db&openid.*(other openid parameters)
>
> In the above GET request, the openid.return_to value has a decoded value
> of http://rp/authenticate?a=b.  You can see that the incoming request
> matches the requirements, as all keys exist with the same values.
> However, some keys (specifically 'a' in this example) show up multiple
> times, and have different values.  Depending on the library, this could have
> adverse security or undesirable altering effects.
>
> I wonder if we should enhance the 2.1 spec to say that the same keys must
> not appear more than they do in the return_to URL.
>

What if they appear a fewer number of times?

The correct language is that the set of parameter assignments "a=b", where
'a' is the key and 'b' is the value, that appear in the HTTP request the RP
received, and that are not OpenID parameters, should be identical to the set
of assignments present in the query part of the return_to URL in the
authentication response.


> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>


-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
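To make the difference between the two readings concrete, here is an added example (not code from either poster or from any OpenID library) that verifies openid.return_to in both ways: the subset check as §11.1 words it, and the multiset equality Breno proposes, where every non-OpenID "key=value" assignment in the request must appear exactly as often as it does in the return_to URL. Both versions also compare scheme, authority and path, which the same section requires. The request URLs are constructed from Andrew's example; the function names are this example's own.

```python
from collections import Counter
from typing import Optional
from urllib.parse import parse_qsl, urlsplit


def non_openid_params(url: str) -> Counter:
    """Multiset of (key, value) assignments in the query string, ignoring openid.* keys.

    A Counter (not a dict or a set) is used so that a key that appears twice,
    with the same or different values, is distinguished from one that appears once.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return Counter((k, v) for k, v in pairs if not k.startswith("openid."))


def return_to_url(request_url: str) -> Optional[str]:
    """Extract the (already URL-decoded) openid.return_to value, or None if absent."""
    params = dict(parse_qsl(urlsplit(request_url).query, keep_blank_values=True))
    return params.get("openid.return_to")


def same_prefix(request_url: str, rt: str) -> bool:
    """Scheme, authority and path of the two URLs must match (OpenID 2.0 §11.1)."""
    req, ret = urlsplit(request_url), urlsplit(rt)
    return (req.scheme, req.netloc, req.path) == (ret.scheme, ret.netloc, ret.path)


def spec_11_1_check(request_url: str) -> bool:
    """The check as literally worded in §11.1: every assignment present in
    return_to must also be present in the request. Extra or repeated
    assignments in the request are not noticed."""
    rt = return_to_url(request_url)
    if rt is None or not same_prefix(request_url, rt):
        return False
    expected = non_openid_params(rt)
    actual = non_openid_params(request_url)
    return all(actual[assignment] >= 1 for assignment in expected)


def strict_check(request_url: str) -> bool:
    """Breno's proposed rule: the multiset of non-OpenID assignments in the
    request must be identical to the multiset in return_to, so an assignment
    that appears more often, fewer times, or with an extra value is rejected."""
    rt = return_to_url(request_url)
    if rt is None or not same_prefix(request_url, rt):
        return False
    return non_openid_params(request_url) == non_openid_params(rt)


# Constructed sample requests (the first is Andrew's example; return_to decodes
# to http://rp/authenticate?a=b in all three).
RT = "openid.return_to=http%3a%2f%2frp%2fauthenticate%3fa%3db&openid.mode=id_res"
EXTRA_VALUE = "http://rp/authenticate?a=b&a=c&" + RT          # 'a' appears twice
CLEAN = "http://rp/authenticate?a=b&" + RT                    # exact match
FEWER = ("http://rp/authenticate?a=b&openid.return_to="
         "http%3a%2f%2frp%2fauthenticate%3fa%3db%26a%3db&openid.mode=id_res")  # 'a=b' twice in return_to, once in request


if __name__ == "__main__":
    for name, url in (("extra value", EXTRA_VALUE), ("clean", CLEAN), ("fewer", FEWER)):
        print(f"{name:12s} spec 11.1: {spec_11_1_check(url)!s:5s} strict: {strict_check(url)}")
```

Run as a script it prints one line per request: the "extra value" and "fewer" requests pass the literal §11.1 subset check but fail the strict multiset comparison, while the clean request passes both. Which of the two the RP should use is exactly the question raised in the thread; the Counter-based comparison is the simplest way to express "identical set of assignments" without being tripped up by duplicate keys.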

